To comply with the EU GDPR (General Data Protection Regulation), organisations need to map their data flows to assess privacy risks.
Creating a data flow map forms part of your Article 30 documentation. Data flow maps are also an essential first step in completing a DPIA (data protection impact assessment).
A data flow map is a graphical representation of the lifecycle of an organisation’s data and the data flows between relevant data controllers and data processors. It serves as a visual representation of how data flows into and out of a processing environment. It also reveals which data categories are involved and where risks and potential breaches might occur.
The mapping demonstrates how policy and processes are used to guide the flow of data. Ideally, the flow of data should start and finish with the person, consistent with the purpose for which it was originally collected.
One of the key elements of a data mapping exercise is looking at the actual purpose of data processing. A data flow map should contain all relevant data, including special categories of personal data.
In addition, the map should identify the systems, services and software involved, and the technical and organisational measures in place to protect that data.
Data mapping is also called data/system asset mapping or data ecosystem mapping. The aim is to gain a complete understanding of the many databases involved in a business’ data processing operations – including the external systems that process and transmit data on the organisation’s behalf.
Gathering information for a data map involves harvesting data from existing tools and documents, such as onsite documents, intranet content, compliance information, tools and process documentation, audit logs, job descriptions, employment contracts, data privacy notices, internal training records and other documents containing information about the data processing environment within the organisation.
It can also provide a useful insight into how your organisation is processing data at an operational level.
Additionally, information can be gathered from the mailing lists, chats, emails, systems and databases that are available for circulation and communication throughout the organisation.
Very often the people in the IT/compliance function have published documents and notices that contain information about data processing. They can be of invaluable help in collecting data for the map.
A list of all the databases along with the context of where personal data resides within each system is critical.
It is important to note that, if you don’t have access to all the information, then you may need to amend the DPO’s request for information and add a question which asks the DPO to elaborate on why that information is not available.
Information that is important to add to the map
This includes:
- The overall purpose for the processing and use of the data;
- The initial source of the data, and if applicable, which third parties supply the data;
- The data flow methodology (and internal and external data flows);
- The data category;
- The data flow route for the personal data;
- The parties responsible for data handling;
- The types of processing and the basis for the processing (legitimate interest, consent, necessity);
- The data storage location; and
- Any data sharing agreements.
How to create a data map
Most people who are involved in the process of mapping data will find that there are tools available to make the task simpler. These commercial tools typically consist of a database with the ability to add notes, a few different ways to search for information and a format to assemble the information into a table. All you need to do is to go through the layers of information you’ve gathered and visualize the data.
In most cases, the actual user experience may be poor, as people don’t want to pour their thoughts into a format that is designed to take less information out. But if you have a lot of information, and need to share it with various parties, then such tools can be a godsend. You can hunt down information and assemble it into a table, all in one place.
The main challenge is to go through the information, visualize and assemble it into the map, then decide how to use it.
Other tools also exist, such as Microsoft Visio, a visual flowchart-type program which can be quite powerful. Start by listing the purpose, the main actor and the data. Then delegate the actors into different arrows (sometimes adding in groups), and finally link that to the purpose of the processing, detailing the flow of the data.
The point being: Take your time. Try to visualize the flow of information. If you want an excellent dataset, go through as many documents and logs as possible. Then all you have to do is to add that data to the map.
The golden rule: Always use documents where you have actual wordings, and use tools for the rest.
Many of these tools have the effect of removing ambiguity. You can double check the information from a variety of sources.
So next time you receive an info request, try an information tool before typing up an answer.